I. INTRODUCTION



An important aspect of many modern communication systems is the ability to exclude unauthorized parties from 
gaining access to confidential material. Although cryptosystems in general have an extensive history, until fairly 
recently they have been based on simple variations of the same theme: information security among authorized parties 
relies on sharing a secret key which is used for encryption and decryption of transmitted messages. While in this 
way confidentiality of the sent message may be secured, such systems suffer from the (obvious) drawback of non-secure 
key distribution. 

In 1978 Rivest, Shamir and Adleman first devised a way to resolve this problem, which led to the celebrated RSA 
public-key cryptosystem [1] (for historical accuracy, a similar system had been suggested years earlier in the British 
GCHQ but was kept secret). The idea behind public-key cryptosystems is to differentiate between the encryption and 
decryption keys; private key(s) are assigned to authorized users, for decryption purposes, while transmitting parties 
only need to know the matching encryption (public) key [2]. The two keys are related by a function which generates the 
encryption mechanism from the decryption key with low computational cost, while the opposite operation (evaluating 
the decryption key from the encryption mechanism) is computationally infeasible. Such functions are called 'one-way' 
or trap-door functions; the RSA algorithm, for instance, is based on the intractability of factorizing large integers 
generated by taking the product of two large prime numbers. 

The proliferation of digital communication in the last few decades has brought in a demand for secure communication, 
leading to the invention of several other public-key cryptosystems, most notable of which are the ElGamal 
cryptosystem (based on the Discrete Logarithm problem), systems based on elliptic curves and the McEliece 
cryptosystem (based on linear error-correcting codes) [?]. A common denominator of all public-key algorithms is the high 
computational complexity of the task facing the unauthorized user; this is typically related to hard computational 
problems that cannot be solved in practical time scales. 

A new public-key cryptosystem based on a diluted Ising spin-glass system has been recently proposed in [?]. The 
suggested cryptosystem is similar in spirit to that of McEliece and relies on exploiting physical properties of the 
MacKay-Neal (MN) low-density parity-check (LDPC) error-correcting codes. In particular, in the context of MN 
codes it has been shown [?] that for certain parameter values successful decoding is highly likely, while for 
others (particularly when the number of parity-checks per bit and the number of bits per check tend to infinity) the 
'perfect' solution, describing full retrieval of the sent message, admits only a very narrow basin of attraction; iterative 
algorithmic solutions lead in this case, almost certainly, to a decryption failure. One can use these properties to 
devise an LDPC-based cryptosystem [?]. The narrow basin of attraction ensures that a random initialization of the 
decryption equations will fail to converge to the plaintext solution, while the naive approach of trying all possible 
initializations is clearly doomed for a sufficiently large plaintext size. The 'one-way' function relies on the hard 
computational task of decomposing a dense matrix (the public key) into a combination of sparse and dense matrices 
(private keys) [7]. 

In this paper we examine the suggested cryptosystem from an adversary's viewpoint. We consider an unauthorized 
party that has acquired partial or full knowledge of one or more of the private keys, and/or of the message, and we 
evaluate the critical knowledge levels required for unauthorized decryption. In addition, we examine the decryption 
reliability by authorized users due to the probabilistic nature of the cryptosystem. 

The paper is organized as follows: In the following section we give an outline of the suggested cryptosystem. In 
section III we formulate unauthorized-decryption scenarios with partial knowledge based on a statistical mechanical 
framework. In section IV we derive the observable quantity that measures decryption success of the unauthorized user 
as a function of the attack parameters, and in section V we examine various cases and present numerical results as well 
as the related phase diagrams. In sections VI and VII we briefly study the basin of attraction of the ferromagnetic 
solution, and the reliability of the decryption mechanism (for authorized users), respectively. The implications of the 
analysis are discussed in section VIII. 



II. DESCRIPTION OF THE CRYPTOSYSTEM 

The cryptosystem suggested in [?] is based on the framework of MN error-correcting codes [?]. An outline of the 
encryption/decryption process is as follows. 

A plaintext represented by $\xi \in \{0,1\}^N$ is encrypted to the ciphertext $r \in \{0,1\}^M$ (with $M > N$) using a predetermined 
generator matrix $G \in \{0,1\}^{M \times N}$ and a corrupting vector $\zeta \in \{0,1\}^M$ with $P(\zeta_i) = p\,\delta_{\zeta_i,1} + (1-p)\,\delta_{\zeta_i,0}$ for each 
component $1 \le i \le M$; the Kronecker tensor $\delta_{ab}$ returns 1 when the arguments are equal ($a = b$) and zero otherwise. 
The generated ciphertext is of the form: 

$r = G\xi + \zeta \pmod 2$   (1) 

The ($M \times N$) matrix $G$ together with the corruption rate $p \in [0,1]$ constitute the public key. 

The encryption matrix $G$ is constructed by choosing a dense matrix $D$ (of dimensionality $M \times M$) and two randomly 
selected sparse matrices $A$ (of dimensionality $M \times N$) and $B$ (of dimensionality $M \times M$) through $G = B^{-1} A D \pmod 2$. 
The matrices $A$ and $B$ are characterized by $K$ and $L$ non-zero elements per row and $C$ and $L$ non-zero elements 
per column, respectively. The resulting dense matrix $G$ is modeled as being characterized by $K'$ and $C'$ non-zero 
elements per row and per column, respectively, with $K', C' \to \infty$ (while $K'/C' = N/M$ is finite). In fact, the dense 
matrix $G$ is of an irregular form due to the inverse of the sparse matrix $B$ as well as the product taken with the dense 
matrix $D$; we will model the matrix $G$ by a regular dense matrix to simplify the analysis. The parameters $K$, $C$ and 
$L$ define a particular cryptosystem, while the matrices $A$, $B$ and $D$ constitute the private key. 

The authorized user may obtain the plaintext from the received ciphertext $r$ by taking the (mod 2) product 
$Br = A\xi + B\zeta$. Finding a set of solutions $\sigma$ and $\tau$ such that the equation 

$A\sigma + B\tau = A\xi + B\zeta \pmod 2$   (2) 

is true will lead to candidate solutions of the decryption problem (of which the most probable one will be detected 
according to a further selection criterion). For particular choices of $K$ and $L$, solving the above equation can be 
achieved via iterative methods which have common roots in both graphical models and the physics of disordered systems, 
such as Belief Propagation [5], Belief Revision [?] and more recently Survey Propagation [?], where state probabilities 
for the decrypted message bits $P(\sigma,\tau \mid r)$ are calculated by solving iteratively a set of coupled equations describing 
conditional probabilities of the ciphertext bits given the plaintext and vice versa. This problem is identical to the 
decoding problem of a regular MN error-correcting code; for the explicit iterative decoding equations see equations (55, 56) 
as well as [?]. 

The unauthorized user, on the other hand, faces the task of finding the most probable solutions to the equation 

$G\xi + \zeta = G\sigma + \tau \pmod 2$.   (3) 

The above decryption equation is effectively identical to the decoding problem of Sourlas error-correcting codes [?], 
with the public matrix $G$ being dense. Most notably, in the context of Sourlas codes, finding solutions to (3) is strongly 
dependent on initial conditions: for all initial conditions other than the plaintext itself, the iterative equations of Belief 
Propagation will fail to converge to the plaintext solution [?], such that obtaining the correct solution for (3) 
without knowledge of the private key becomes infeasible. Obtaining the private keys by decomposing $G$ into $A$, $B$ 
and $D$ is known to be a hard computational problem even if the values of $K$, $C$ and $L$ are known [?]. 

We would like to point to the fact that there may exist more than one triplet of matrices $\{A, B, D\}$ such that 
$G = B^{-1} A D$. With $D$ being a dense matrix, finding a set of matrices $A'$, $B'$ and $D'$ such that their combination 
produces $G = (B')^{-1} A' D'$ requires an exponentially diverging number of operations, with respect to the system size, 
making the decomposition computationally infeasible. For $D = I$ (the identity, as was the original formulation in [?]) finding a 
pair of sparse matrices $A'$ and $B'$ such that $G = (B')^{-1} A'$ requires only a number of operations that is polynomial in 
$N$, and the cryptosystem is therefore not secure. 
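The key construction and encryption of Section II, as an added example that is not part of the original paper: it builds $A$, $B$, $D$ and $G = B^{-1} A D \pmod 2$ over GF(2), encrypts with a Bernoulli($p$) corrupting vector, checks the authorized-user identity $Br = A\xi + B\zeta$ of eq. (2), and counts the known non-zero elements per column inside a random block of $\gamma M$ rows as in Fig. 1. Assumptions: a constructed instance with $N = 6$, $M = 9$, $(K, C, L) = (2, 3, 3)$ ($KM = CN$); $L = 3$ rather than the paper's $L = 2$ because a square 0/1 matrix with an even number of ones in every column has rows summing to zero mod 2 and is singular, so it cannot serve as $B$; and $D$ is taken $N \times N$ so that the product $B^{-1} A D$ is conformable with $\xi \in \{0,1\}^N$.

```python
import random


def gf2_inverse(mat):
    """Gauss-Jordan inverse of a square 0/1 matrix over GF(2); None if singular."""
    n = len(mat)
    a = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(mat)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if a[r][col]), None)
        if pivot is None:
            return None
        a[col], a[pivot] = a[pivot], a[col]
        for r in range(n):
            if r != col and a[r][col]:
                a[r] = [x ^ y for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]


def gf2_matmul(x, y):
    """Product of two 0/1 matrices over GF(2)."""
    return [[sum(x[i][k] & y[k][j] for k in range(len(y))) & 1
             for j in range(len(y[0]))] for i in range(len(x))]


def gf2_matvec(m, v):
    """Matrix-vector product over GF(2)."""
    return [sum(r[j] & v[j] for j in range(len(v))) & 1 for r in m]


def regular_sparse(rows, cols, per_row, per_col, rng, invertible=False):
    """Random 0/1 matrix with exactly per_row ones per row and per_col per column
    (needs rows*per_row == cols*per_col). Column 'sockets' are shuffled and dealt
    to rows; resample if a row would hit the same column twice (the two ones
    would cancel mod 2) or, when asked, if the result is singular over GF(2)."""
    assert rows * per_row == cols * per_col
    while True:
        sockets = [j for j in range(cols) for _ in range(per_col)]
        rng.shuffle(sockets)
        mat = [[0] * cols for _ in range(rows)]
        for i in range(rows):
            chunk = sockets[i * per_row:(i + 1) * per_row]
            if len(set(chunk)) != per_row:
                break
            for j in chunk:
                mat[i][j] = 1
        else:
            if not invertible or gf2_inverse(mat) is not None:
                return mat


def dense_invertible(n, rng):
    """Random dense 0/1 matrix, resampled until it is invertible over GF(2)."""
    while True:
        mat = [[rng.randint(0, 1) for _ in range(n)] for _ in range(n)]
        if gf2_inverse(mat) is not None:
            return mat


def is_regular(mat, per_row, per_col):
    """Check the (per_row, per_col) regularity the paper assumes for A and B."""
    rows_ok = all(sum(r) == per_row for r in mat)
    cols_ok = all(sum(r[j] for r in mat) == per_col for j in range(len(mat[0])))
    return rows_ok and cols_ok


def keygen(N, M, K, C, L, seed=1):
    """Private key {A, B, D} and public key G = B^{-1} A D (mod 2). D is N x N (assumption)."""
    rng = random.Random(seed)
    A = regular_sparse(M, N, K, C, rng)
    B = regular_sparse(M, M, L, L, rng, invertible=True)
    D = dense_invertible(N, rng)
    G = gf2_matmul(gf2_matmul(gf2_inverse(B), A), D)
    return {"A": A, "B": B, "D": D}, G


def encrypt(G, xi, p, seed=2):
    """Eq. (1): r = G xi + zeta (mod 2) with each zeta_i = 1 with probability p."""
    rng = random.Random(seed)
    zeta = [int(rng.random() < p) for _ in range(len(G))]
    r = [a ^ z for a, z in zip(gf2_matvec(G, xi), zeta)]
    return r, zeta


def syndrome_identity_holds(priv, r, xi, zeta):
    """Eq. (2) for the authorized user: B r == A (D xi) + B zeta (mod 2)."""
    lhs = gf2_matvec(priv["B"], r)
    a_part = gf2_matvec(priv["A"], gf2_matvec(priv["D"], xi))
    b_part = gf2_matvec(priv["B"], zeta)
    return lhs == [a ^ b for a, b in zip(a_part, b_part)]


def known_column_counts(A, gamma, seed=3):
    """Per-column non-zero counts inside a random block of gamma*M known rows
    (the quantity the paper averages to C-bar = gamma*C)."""
    rng = random.Random(seed)
    M = len(A)
    rows = rng.sample(range(M), int(round(gamma * M)))
    return [sum(A[i][j] for i in rows) for j in range(len(A[0]))]
```

Because every known row carries exactly $K$ ones, the column counts sum to $K\gamma M$ and their column average equals $\gamma C$ exactly, independently of which rows leaked.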

Other advantages and drawbacks of the new cryptosystem appear in [?]. 

III. FORMULATION OF THE ATTACK 

An essential ingredient of any cryptosystem is a certain level of robustness against attacks. The robustness of the 
current cryptosystem against attacks with no additional secret information has already been reported in [?]. In this 
section we study the vulnerability of the new cryptosystem to various attacks, characterized by partial knowledge of 
the secret keys and/or the plaintext itself; the additional information manifests itself in a set of decryption equations 
similar to (2) in which partial information of the secret keys (and plaintext) is used in conjunction with the publicly 
available information of (3). 



The cumulative information provided by the different sets of equations will potentially allow for a successful decryption. 
To this extent, knowledge of the matrix $B$ is of utmost importance, since partial knowledge of the syndrome 
vector and equation (2) is only accessible through decryption using the matrix $B$. Let us consider that an unauthorized 
user has acquired knowledge of a number of rows $\gamma_A M$, $\gamma_B M$ and $\gamma_D M$ of the secret matrices $A$, $B$ and $D$ (with 
$\gamma_* \in [0,1]$). Relation (2) then provides $\gamma M = \min\{\gamma_A, \gamma_B, \gamma_D\} M$ decryption equations (2) based on sparse matrices. 
To analyze the attack we will thus from now on assume that a block ($\gamma M \times M$) of all matrices is known to the 
unauthorized user, with $\gamma \in [0,1]$. In this case, the products $\sum_{j=1}^{M} B_{ij} r_j$ for $i = 1, \ldots, \gamma M$ can be taken and the 
unauthorized user will arrive at the following decryption problem: 

private: $(A\sigma)_i + (B\tau)_i = (A\xi)_i + (B\zeta)_i$ for rows $i = 1, \ldots, \gamma M$   (4) 

public: $(G\sigma)_i + (I\tau)_i = (G\xi)_i + (I\zeta)_i$ for rows $i = 1, \ldots, M$   (5) 

where we absorbed the matrix $D$ using $\sigma \to D\sigma$ and $\xi \to D\xi$; in practice, after decryption, one will have to use 
the inverted matrix $D^{-1}$ to obtain the original plaintext. All solutions $\sigma$ and $\tau$ will have to simultaneously satisfy 
(4) and (5). The matrices $A$ and $B$ will be described by $K$ and $L$ non-zero elements per row. The average number of 
known non-zero elements per column in $A$ and $B$ will be denoted $\bar{C}$ and $\bar{L}$, respectively. Since $\gamma$ is the probability of 
selecting a non-zero element in the known part of the private key, it follows that $\bar{C} = \gamma C$ and $\bar{L} = \gamma L$. For all columns 
$j = 1, \ldots, M$ we will denote the number of known non-zero elements in $A$ and $B$ by the random variables $\tilde{C}_j\,(= \sum_{i=1}^{\gamma M} A_{ij})$ 
and $\tilde{L}_j\,(= \sum_{i=1}^{\gamma M} B_{ij})$, which are described by the distributions: 

$P(\tilde{C}_j; C) = \binom{C}{\tilde{C}_j}\,\gamma^{\tilde{C}_j}(1-\gamma)^{C-\tilde{C}_j}, \qquad \tilde{C}_j = 0, \ldots, C$   (6) 

$P(\tilde{L}_j; L) = \binom{L}{\tilde{L}_j}\,\gamma^{\tilde{L}_j}(1-\gamma)^{L-\tilde{L}_j}, \qquad \tilde{L}_j = 0, \ldots, L$   (7) 

To facilitate the statistical mechanical description we will now replace the field $\{0,1; +\ (\mathrm{mod}\ 2)\}$ by the more familiar 
Ising spin representation $\{-1,1; \times\}$. Equations (4) and (5) will also be modified. From the matrices $A, B$ and 
$G, I$ we construct the binary tensors $\mathcal{A} = \{\mathcal{A}_{\langle i_1 \ldots i_K\rangle;\langle j_1 \ldots j_L\rangle} \mid 1 \le i_1 < \cdots < i_K \le N,\ 1 \le j_1 < \cdots < j_L \le M\}$ and 
$\mathcal{G} = \{\mathcal{G}_{\langle i_1 \ldots i_{K'}\rangle;j} \mid 1 \le i_1 < \cdots < i_{K'} \le N,\ 1 \le j \le M\}$. The elements of these tensors are $\mathcal{A}_{\langle i_1 \ldots i_K\rangle;\langle j_1 \ldots j_L\rangle} = 1$ 
if $A$ and $B$ have respectively a row in which the elements $\{i_1, \ldots, i_K\}$ and $\{j_1, \ldots, j_L\}$ are all 1, and 0 otherwise. 
Similarly, $\mathcal{G}_{\langle i_1 \ldots i_{K'}\rangle;j} = 1$ if $G$ and $I$ have respectively a row in which the elements $\{i_1, \ldots, i_{K'}\}$ and $\{j\}$ are all 1, 
and 0 otherwise. The notation we used to indicate tensor elements, $\langle i_1 \ldots i_K\rangle$, denotes that the sites $i_1, \ldots, i_K$ are 
ordered and different. 

FIG. 1: The matrix $B$ of dimensionality $M \times M$ used as a private key in decryption. The scenario we consider here is that 
unauthorized users have acquired knowledge of $\gamma M$ rows of the matrix. The ($\gamma M \times M$) block may have $\tilde{L}_j = 0, \ldots, L$ non-zero 
elements per column for all $j$. 

The fact that the number of non-zero elements per column in $A$, $B$ and $G$, $I$, respectively, are $\tilde{C}_i$, $\tilde{L}_j$ and $C'$, 1, for 
all columns, will be imposed by the constraints: 

(8) 
(9) 
(10) 
(11) 

To compress notation in what follows we will denote the set of indices involved in the tensors $\mathcal{A}$ and $\mathcal{G}$ by $\Lambda_K = 
\langle i_1 \cdots i_K\rangle$ and $\Omega_L = \langle j_1 \cdots j_L\rangle$. 
For the system described in (4, 5) the microscopic state probability $P(\sigma,\tau)$ can be written as 

$P(\sigma,\tau \mid \xi,\zeta,\mathcal{A},\mathcal{G}) = \frac{1}{Z}\left[\Delta(\sigma,\tau;\xi,\zeta,\mathcal{A})\,\Delta(\sigma,\tau;\xi,\zeta,\mathcal{G})\,\Phi(\sigma;\xi)\,\Psi(\tau;\zeta)\right] e^{-\beta H(\sigma,\tau)}$   (12) 

(notice that the dependence on $\xi, \zeta$ is not explicit, but through the received vector $r$) where $Z$ is the partition function 
and $H(\sigma,\tau)$ the energy: 
with $F_\sigma = \frac{1}{2}\log\frac{1-p_\sigma}{p_\sigma}$ and $F_\tau = \frac{1}{2}\log\frac{1-p_\tau}{p_\tau}$. The fields $F_\sigma$ and $F_\tau$ represent prior knowledge of the statistics from 
which the plaintext and the corrupting vector are drawn, such that 

$P(\xi_i) = (1-p_\sigma)\,\delta_{\xi_i,1} + p_\sigma\,\delta_{\xi_i,-1}, \qquad p_\sigma \in [0,1]$   (14) 

$P(\zeta_j) = (1-p_\tau)\,\delta_{\zeta_j,1} + p_\tau\,\delta_{\zeta_j,-1}, \qquad p_\tau \in [0,1]$   (15) 



The indicator functions $\Delta(\sigma,\tau;\xi,\zeta,\mathcal{A})$ and $\Delta(\sigma,\tau;\xi,\zeta,\mathcal{G})$ restrict the space of solutions $\sigma \in \{-1,1\}^N$ and $\tau \in 
\{-1,1\}^M$ to those that obey equations (4) and (5): 

$\Delta(\sigma,\tau;\xi,\zeta,\mathcal{A}) = \prod_{\Lambda_K;\Omega_L}\left[1 + \mathcal{A}_{\Lambda_K;\Omega_L}\left(\prod_{i \in \Lambda_K}\sigma_i\xi_i\prod_{j \in \Omega_L}\tau_j\zeta_j - 1\right)\right]$   (16) 

$\Delta(\sigma,\tau;\xi,\zeta,\mathcal{G}) = \prod_{\Lambda_{K'};j}\left[1 + \mathcal{G}_{\Lambda_{K'};j}\left(\prod_{i \in \Lambda_{K'}}\sigma_i\xi_i\,\tau_j\zeta_j - 1\right)\right]$   (17) 

and finally the terms $\Phi(\cdots), \Psi(\cdots) \in \{0,1\}$ correspond to 
where the quenched variables $c_i, d_j \in \{0,1\}$ model prior knowledge of bits of the plaintext and the corrupting vector, 
such that if for some $i$ the plaintext bit $\xi_i$ is known then the thermal variable $\sigma_i$ takes the quenched plaintext value 
(and similarly for the corruption vector $\zeta_j$ and $\tau_j$). For the distribution of $c_i$ and $d_j$ we will consider 

$P(c_i) = w_\sigma\,\delta_{c_i,1} + (1-w_\sigma)\,\delta_{c_i,0}, \qquad w_\sigma \in [0,1]$   (20) 

$P(d_j) = w_\tau\,\delta_{d_j,1} + (1-w_\tau)\,\delta_{d_j,0}, \qquad w_\tau \in [0,1]$   (21) 



The system described by (12) represents a set of variables interacting via multi-spin ferromagnetic couplings of finite 
connectivity, represented by a combination of matrices, in the presence of the random fields $\xi_i F_\sigma$ and $\zeta_j F_\tau$. At $\beta = 1$ 
(which corresponds to the Nishimori temperature [13]) we will evaluate the free energy per plaintext bit 

(22) 

The macroscopic observable we are interested in calculating is the overlap $m = \lim_{N \to \infty}\frac{1}{N}\sum_i \xi_i \hat{\xi}_i$ between the plaintext 
and the Bayes Marginal Posterior Maximizer (MPM) estimate of the plaintext $\hat{\xi}_i = \mathrm{sign}\sum_{\sigma_i = \pm 1}\sigma_i\,p(\sigma_i \mid r)$, where 
$p(\sigma_i \mid r)$ is the microscopic state probability (12). Disorder averages $\langle\cdots\rangle_r$ are taken over the probability distributions 
(14, 15, 20, 21) and over the distribution of the tensors $\mathcal{A}$ and $\mathcal{G}$ obeying the constraints (8-11): 

(23) 

(24) 

where $\mathcal{N}$ and $\mathcal{N}'$ are the corresponding normalisation constants. 

The parameters $w_\sigma, w_\tau, F_\sigma, F_\tau$ and $\gamma$ describe the attack characteristics. 

IV. THE FREE ENERGY AND DECRYPTION OBSERVABLES 

The calculation generally follows that of [?]. To perform the various disorder averages we begin by invoking the 
replica identity $\langle\log Z\rangle = \lim_{n \to 0}\frac{1}{n}\log\langle Z^n\rangle$ and making the gauge transformations $\sigma_i \to \sigma_i\xi_i$, $\tau_j \to \tau_j\zeta_j$, 
$\mathcal{A}_{\Lambda_K;\Omega_L} \to \mathcal{A}_{\Lambda_K;\Omega_L}\prod_{i \in \Lambda_K}\xi_i\prod_{j \in \Omega_L}\zeta_j$ and $\mathcal{G}_{\Lambda_{K'};j} \to \mathcal{G}_{\Lambda_{K'};j}\prod_{i \in \Lambda_{K'}}\xi_i\,\zeta_j$. This will allow us to disentangle the variables 
$\{\xi, \zeta\}$ from expressions involving the tensors $\mathcal{A}$ and $\mathcal{G}$ in (16, 17). Replacing the $\delta$ functions in (23, 24) by their integral 
representations allows us to perform the tensor summations, leading to: 

(A A (a,T),Ag((T,T)) = 

UN' J (2ir) 2N J (2tt) 2M 

N M 

»=i v 3=1 

x e (irE^ = oE (ai ...„ m) ^(Ef =1 ^? 1 -'<"') K ^(E, A i I ^r---r) i 

x e (i)"E^=oE (Q1 ...„ TO) ^ T (Ef =1 ^ CT r-< m ) K '(E^ 1 v J r; I ... 7 - r ) (25) 
In the above expression we can now identify the following order parameters 
N N 
i=l i=l 
M M 

which we insert in (25) via suitably defined $\delta$ functions (giving rise to the Lagrange multipliers $\hat{q}_{\alpha_1 \ldots \alpha_m}$, $\hat{r}_{\alpha_1 \ldots \alpha_m}$, 
$\hat{t}_{\alpha_1 \ldots \alpha_m}$ and $\hat{u}_{\alpha_1 \ldots \alpha_m}$). To proceed with the calculation one needs to assume a certain order parameter symmetry for 
the above quantities and their conjugates for all $m \ge 1$. The simplest such assumption renders all replica $m$-tuples 
equivalent, and all order parameters within this replica symmetric scheme need only depend on the number $m$. This 
effect can be described by the introduction of suitably defined distributions, the moments of which completely define 
the $m$-index order parameters 



$q_{\alpha_1 \ldots \alpha_m} = q \int dx\,\pi(x)\,x^m, \qquad \hat{q}_{\alpha_1 \ldots \alpha_m} = \hat{q} \int d\hat{x}\,\hat{\pi}(\hat{x})\,\hat{x}^m$   (28) 

$r_{\alpha_1 \ldots \alpha_m} = r \int dy\,\rho(y)\,y^m, \qquad \hat{r}_{\alpha_1 \ldots \alpha_m} = \hat{r} \int d\hat{y}\,\hat{\rho}(\hat{y})\,\hat{y}^m$   (29) 

$t_{\alpha_1 \ldots \alpha_m} = t \int dx\,\phi(x)\,x^m, \qquad \hat{t}_{\alpha_1 \ldots \alpha_m} = \hat{t} \int d\hat{x}\,\hat{\phi}(\hat{x})\,\hat{x}^m$   (30) 

$u_{\alpha_1 \ldots \alpha_m} = u \int dy\,\psi(y)\,y^m, \qquad \hat{u}_{\alpha_1 \ldots \alpha_m} = \hat{u} \int d\hat{y}\,\hat{\psi}(\hat{y})\,\hat{y}^m$   (31) 

where all integrals are over the interval $[-1,1]$. The Nishimori condition ($\beta = 1$), which corresponds to MPM 
decoding [14], also ensures that this simplest replica-symmetric scheme is sufficient to describe the thermodynamically 
dominant state [13, 15]. Furthermore, it is worthwhile mentioning that extending the replica symmetric calculation 
to include the one-step replica symmetry breaking ansatz is unlikely to modify the location of the transition points 
identified under the replica-symmetric ansatz, as has been recently shown in a similar system [16]. Using the above 
ansatz we perform the contour integrals in (25) and trace over the spin variables; then, in the limit $n \to 0$ we obtain: 

~nj ni 

-CJ la [w,7t] - —Ji b [p,p] - C'J lc [<f>,<j>] - —Jid[^^\ (32) 

+ ^2afap] + V] + ^3aM] + ^ = J 3b [pJj}^ -{jl + J^j lo S 2 

where the extremization is taken over the distributions defined in (28-31) and the various integrals $J_{**}$ are given by 

$J_{1a}[\pi,\hat{\pi}] = \int dx\,d\hat{x}\,\pi(x)\hat{\pi}(\hat{x})\log(1 + x\hat{x}), \qquad J_{1b}[\rho,\hat{\rho}] = \int dy\,d\hat{y}\,\rho(y)\hat{\rho}(\hat{y})\log(1 + y\hat{y})$   (33) 

$J_{1c}[\phi,\hat{\phi}] = \int dx\,d\hat{x}\,\phi(x)\hat{\phi}(\hat{x})\log(1 + x\hat{x}), \qquad J_{1d}[\psi,\hat{\psi}] = \int dy\,d\hat{y}\,\psi(y)\hat{\psi}(\hat{y})\log(1 + y\hat{y})$   (34) 



$J_{2a}[\pi,\rho] = \int\Big[\prod_{k=1}^{K} dx_k\,\pi(x_k)\prod_{\ell=1}^{L} dy_\ell\,\rho(y_\ell)\Big]\log\Big(1 + \prod_{k} x_k\prod_{\ell} y_\ell\Big)$   (35) 

$J_{2b}[\phi,\psi] = \int dy\,\psi(y)\Big[\prod_{k=1}^{K'} dx_k\,\phi(x_k)\Big]\log\Big(1 + y\prod_{k} x_k\Big)$   (36) 



■ha[n, 4>] = / II d kvc>) I (1 - 7) C (log K 1 - c ) + ^V^"^ J^ 1 + ^' A ) 

^ c' = l [ \ A=± c' / 

+ (/[II ( lo S E K 1 - c ) + ^A,i]e^ fCT + X * X ) W 1 + ^' A ) 



(37) 
^3i,[p,^] = Jdyfo) |(l- 7 ) L ^log^[(l-d) + ^ A , 1 ]e /3F ^ A (l + yA)^ 
+ ( /[[] <*p(a*)] (log ]T [(1 - d) + d6x,i]e? F *< x H(l + x t X)(l + y\) 



d,C I. 



where 

$\bar{C} = \sum_{\tilde{C}=0}^{C} P(\tilde{C}; C)\,\tilde{C}$   (38) 

$\bar{L} = \sum_{\tilde{L}=0}^{L} P(\tilde{L}; L)\,\tilde{L}$   (39) 

Averages denoted $\langle\cdots\rangle_{\tilde{C}}$ and $\langle\cdots\rangle_{\tilde{L}}$ are over the densities (6) and (7) with $\tilde{C} = 1, \ldots, C$ and $\tilde{L} = 1, \ldots, L$. Functional 
differentiation of (32) with respect to the densities of (28-31) results in the following saddle point equations: 
∫ dx_k π(x_k) ∏ dy_l ρ(y_l)] δ 

k=l 1 = 1 

K L-l 
(40) 
(41) 

(42) 
(43) 



and 



π(x) = w_σ δ[x − 1] 



(44) 



+ 



(1 -w a ) 
C 



r C C-l I I C-l C 

C I [J[ d ^Vrj) n dn(x c )} (six- tanh[/3F CT £ + ^ ath(4 c ) + ^ ath(y c , 

J c' = l c=l \ \ c=l c' = l 
ρ(x) = w_τ δ[x − 1] 

, (i-O 



(45) 
(46) 



a) / II d <^') | (! ^ - tanh[/3F CT £ + £ ath(&0] j 

„ C / / <5 C'-l 

/ [JJ d7r(x c )] / 6 ix - tanh[/iF CT £ + E ath (£ c ) + ^ ath (^')] 
ψ(x) = w_τ δ[x − 1] (47) 
+ (1 - w T ) J (1 - 7 ) L (S[x - tanh(/3F T C)]) c + / AjJ d#£j)] / « f a; - tanh[/3F r C + J2 ath (^)] 



i=i \ \ i=i 



In general, the coupled set of equations (40)-(47) is to be solved numerically. Among the set of $\sigma$ that satisfy 
equations (4) and (5) we choose the MPM estimate of the plaintext $\hat{\xi}_i = \mathrm{sign}\sum_{\sigma_i = \pm 1}\sigma_i\,p(\sigma_i \mid r) = \mathrm{sign}(\langle\sigma_i\rangle)$ (thermal 
average) by using Nishimori's condition ($\beta = 1$) [?]. Then, the overlap $m = \lim_{N \to \infty}\frac{1}{N}\sum_i \xi_i\hat{\xi}_i$ becomes 



$m = w_\sigma + (1 - w_\sigma)\int dh\,P(h)\,\mathrm{sign}(h)$   (48) 

ath(y c /)] 



+ (/^n d *( £c )] / 5 ( h - tanh [/3^c + E ath ( ic ) + £ ath feO] 



(49) 



from which it can be seen that the perfect (ferromagnetic) solution $m = 1$ is achieved when $w_\sigma = 1$ (complete 
knowledge of the solution) or when $\phi(x) = \delta[x - 1]$. This also implies that all densities involved in (32), $X(x) = 
\{\pi(x), \ldots, \hat{\psi}(x)\}$, acquire the form $X(x) = \delta[x - 1]$, giving a free energy of the form 

/i^M = log 2 -§/3F T (C) c (50) 

The physical meaning of the terms $\delta[x - 1]$ in (44-47) is that the acquired microscopic knowledge gives a probabilistic 
weight to the ferromagnetic state. The state $m = 0$ is obtained if $w_\sigma = F_\sigma = 0$ and $\pi(x) = \phi(x) = \delta[x]$ (paramagnetic 
solution). 



V. PHASE DIAGRAMS 



In this section we obtain numerical solutions for various attack scenarios. In all cases studied we assume an 
unbiased plaintext ($p_\sigma = 1/2$, $F_\sigma = 0$); for brevity we refer to the remaining bias parameter, the corruption level 
denoted $p_\tau$ in previous sections, simply as $p$. All experiments have been carried out using a regular cryptosystem with 
$K = L = 2$, being the original cryptosystem suggested in [?]. In principle, one can use any set of regular or irregular 
matrices, provided one identifies the corresponding dynamical transition point. However, having been thoroughly 
studied previously, the current construction serves as a particularly suitable benchmark. 

Solving the coupled equations (40)-(47) we typically observe that for sufficiently small values of $p$ the ferromagnetic 
state $m = 1$ is the only stable solution, whereas at a corruption value that marks the dynamical (spinodal) transition, 
$p_s$, an exponential number of solutions with $m \neq 1$ are created (either suboptimal ferromagnetic or paramagnetic, 
depending on the values of $(K, C, L)$). For all $p > p_s$ perfect decryption will be difficult to obtain. This transition 
also defines the corruption level below which an unauthorized attacker who has acquired partial information of the 
secret keys will be successful. 

We will concentrate on two main attacks: (i) The attacker has partial knowledge of the keys (primarily the matrix 
B). (ii) The attacker has partial microscopic knowledge of the plaintext and/or corruption vector. 

In figure 2 we present a phase diagram describing regions with perfect ($m = 1$) or partial/null ($|m| < 1$) decryption 
success as evaluated from solving equations (32) and (48). We plot the dynamical transition corruption level $p_s$ as 
a function of the private key fractional knowledge $\gamma$ for different values of $w_\sigma$ and $w_\tau$ (we have set $p_\sigma = 1/2$, which 
corresponds to an 'unbiased' plaintext). In the limit $\gamma = 0$ (i.e., no knowledge of the matrices), while $m = 1$ may be a 
stable solution, the decryption dynamics is fully dominated by $|m| < 1$ states. For $\gamma = 1$ the cryptosystem describes 
a specific MN code and perfect decryption can occur below $p_s$. 
FIG. 2: Phase diagram of the spinodal corruption-rate against the fractional knowledge of the private key $\gamma$ for a $(K, C, L) = 
(2, 6, 2)$ cryptosystem for $(w_\sigma, w_\tau) = (0, 0)$ (solid line) and $(0.2, 0.2)$ (dashed line). Microscopic knowledge of the plaintext and 
the corrupting vector enlarges the perfect decryption area, as expected. 



The interaction between the sparsely (4) and densely (5) connected decryption components is non-linear and non-trivial; 
however, as a first approximation one can view the fractional matrix knowledge $\gamma$ as changing the effective 
sparse component, which is the main contributor in the decryption process. To that end $\gamma$ will have a direct impact 
on the effective code rate $N/(M\gamma)$, the average connectivity $\gamma C$ and the connectivity distribution. It is clear that 
at an effective code rate 1 ($\gamma = N/M = 1/3$ in the case of the parameters used in figure 2) decryption is not even 
theoretically feasible. The reason figure 3 points to a possibility of decryption below this value is the additional 
information brought in by the dense components, which we ignored in this simplistic description. 

We also examined the effect of prior microscopic knowledge of the plaintext/corrupting vector ($w_\sigma, w_\tau > 0$) on the 
area of perfect decryption, which clearly increases with the knowledge provided, as expected. This too can be viewed 
as a change to the effective code rate. This time, the partial microscopic knowledge of either plaintext or corrupting 
vector (or both) serves to reduce the effective number of variables and hence the code rate itself; a lower code rate will 
typically allow for perfect decryption in worse corruption conditions, as can be seen in figure 3. 
FIG. 3: Phase diagrams of the spinodal corruption-rates against the fractional knowledge of the private key $\gamma$ for a $(K, C, L) = 
(2, 6, 2)$ cryptosystem. Left picture: $(w_\sigma, w_\tau) = (0.1, 0)$ (solid line) and $(0, 0.1)$ (dashed line). Right picture: $(w_\sigma, w_\tau) = (0.2, 0)$ 
(solid line) and $(0, 0.2)$ (dashed line). For sufficiently large $\gamma$-values microscopic knowledge of the corrupting vector becomes 
more important to the unauthorized user than that of the plaintext; this effect becomes more emphasized as the fraction of 
known bits increases. 
FIG. 4: Left: Comparison between two different cryptosystems with $(K, C, L) = (2, 3, 2)$ (solid line) and $(K, C, L) = (2, 4, 2)$ 
(dashed line). Smaller $C$-values correspond to higher rate codes and lead to smaller regions in parameter space where perfect 
decryption is possible. Right: Overlap $m$ as a function of the corruption-rate $p$ obtained from equation (48) for a $(K, C, L) = 
(2, 6, 2)$ cryptosystem and along the line $\gamma = 0.8$ for $(w_\sigma, w_\tau) = (0.2, 0)$ (solid line) and $(w_\sigma, w_\tau) = (0, 0)$ (dashed line). 



To understand the implication of these results let us assume using the cryptosystem described in figure 2 at a 
corruption level of $p = 0.1$ (which is chosen much smaller than $p_s$ to increase the decryption reliability). In 
this case knowing about 70% of the matrices (secret keys) will be sufficient for decrypting the ciphertext. True, there 
is still a need to know the dense matrix $D^{-1}$ for extracting the plaintext itself, and the exposed fraction of the secret 
key is significant; but still there is a weakness that may be exploited by a skillful attacker. 

To compare the importance of prior microscopic knowledge of the plaintext versus that of the corrupting vector we 
plotted in figure 3 the phase diagram for $(w_\sigma, w_\tau) = \{(0.1, 0), (0.2, 0)\}$ and $(w_\sigma, w_\tau) = \{(0, 0.1), (0, 0.2)\}$, which describe 
two complementary scenarios (left and right figures respectively). The effect is quite similar, taking into account the 
information provided by the two vectors (the plaintext is unbiased but of length $N$ while the corruption vector is 
biased but of length $M$). For high $\gamma$-values microscopic knowledge of the corrupting vector becomes more informative 
than that of the plaintext, an effect which becomes more emphasized as the fraction of known bits increases. 

In figure 4 we compare two cryptosystems with $(K, C, L) = (2, 4, 2)$ and $(K, C, L) = (2, 3, 2)$ for $(w_\sigma, w_\tau) = (0, 0)$. 
We see that smaller $C$ values (i.e., higher code rates) will reduce the area of perfect decryption. On the one hand, 
this will increase the secret information required for perfect decryption at each corruption level; on the other hand it 
will reduce the corruption level that can be used and will expose the cryptosystem to attacks based on an exhaustive 
search of corruption vectors. 

The security of a cryptosystem may be compromised without a full recovery of the plaintext; partial recovery of 
the plaintext may also pose a significant threat. To study the effect of partial knowledge of the matrices and plaintext on 
the ability to obtain high overlap between the decrypted ciphertext and plaintext, we conducted several experiments, 
an example of which appears in figure 4. Here we show the overlap $m$ obtained as a function of the corruption-rate $p$ 
for a specific cryptosystem $(K, C, L) = (2, 6, 2)$ along the line $\gamma = 0.8$ and for two different choices of $w_\sigma$. Prior to 
the dynamical transition points both ciphertexts are decrypted perfectly; this corresponds to corruption and partial 
knowledge levels below the solid and dashed lines of figure 2. 

Above the dynamical transition point, new suboptimal solutions are created and the overlap value obtained deteriorates 
with the corruption level. However, the two different choices of $w_\sigma$-values lead to two different deterioration 
patterns: while the overlap in the system with no microscopic knowledge of the plaintext deteriorates very rapidly, the 
system with $w_\sigma = 0.2$ provides solutions with high overlap values even if the corruption is high. As a consequence, we 
see that the effect of microscopic knowledge goes beyond a shift in the dynamical transition point; it also influences 
decryption beyond that point (in fact, it goes even beyond Shannon's limit). 



VI. BASIN OF ATTRACTION 



The increasingly narrowing basin of attraction for the ferromagnetic solution, as the connectivity values $K$, $C$ and 
$L \to \infty$, is central to the security level offered by the cryptosystem. The effect has been reported in a number of 
papers in the statistical physics [?] and information-theory [?] literature; in this section we will show that the 
basin of attraction shrinks as the connectivity increases, to a value of $O(1/K)$ as $K, C \to \infty$. 

To provide a rough evaluation of the basin of attraction (BOA) for obtaining the ferromagnetic solution we focus on 
Eq. (5) in the limit $K, C \to \infty$. The BOA clearly depends on the algorithm used; here we focus on the Belief Propagation 
(BP) algorithm, which is empirically known to be the best practical algorithm for solving problems of the current 
type. As far as we explored, no other schemes such as the naive mean field and the Belief Revision algorithms exhibit 
better performance than BP, which implies that our consideration of BP is at least of a certain practical significance 
(Survey Propagation has not yet been tested for these systems). 

Let us represent prior knowledge on the plaintext $\xi$ and noise $\zeta$ (in Ising spin representation) as the prior probabilities 

$P_\sigma(\sigma_i) = \frac{\exp(F_{\sigma_i}\sigma_i)}{2\cosh(F_{\sigma_i})},$   (51) 

$P_\tau(\tau_j) = \frac{\exp(F_{\tau_j}\tau_j)}{2\cosh(F_{\tau_j})},$   (52) 

respectively. Here, the parameters $F_{\sigma_i}$ and $F_{\tau_j}$ express the confidence of the prior knowledge per variable, which is a 
generalization of the global prior terms $F_\sigma, F_\tau$ used earlier. Notice that this representation includes the case that 
certain bits are completely determined by setting $|F_{\sigma_i}|$ (or $|F_{\tau_j}|$) $\to \infty$, enabling us to cover various scenarios. In 
the following, we assume that the fraction of completely determined bits is less than 1 when $N, M \to \infty$. Given 
prior probabilities (51) and (52), and the indicator function $\Delta(\sigma,\tau;\xi,\zeta,\mathcal{A})$ which is the alternative to parity check 
equation (3), the Bayesian framework provides the posterior probability 

pP os t[(TiT) = A( g ,r;€,C,.A)n^i?(^)n^ii?(rO > (53) 

where Z is the normalization constant. Using Eq. (|53|l . one can determine the best possible action for minimizing 
the expected value of a given cost function |14| . As a cost function, we select here the Hamming distance between 
the correct plain text £ and its estimates £, L(£, £) = N — X)j=i this selection naturally offers the maximizer of 
posterior marginal (MPM) decoding £j = sign(mf ) as the optimal estimation strategy, where 

<7 i P* 0st (<7,T), (54) 



<X,T 



is the average of spin o~i over the posterior probability and sign(a;) = 1 for x > and —1, otherwise. 

The computational cost of an exact evaluation of the spin average (54) increases as $O(2^{N+M})$, which implies that MPM decoding is practically difficult. An alternative approach is to resort to an approximation such as BP. In the current case, this means iteratively solving the coupled equations (for details of the derivation see [8, 10])

$$\hat{m}_{\mu i} = J_\mu \prod_{l \in C_\sigma(\mu)\setminus i} m_{\mu l} \prod_{j \in C_\tau(\mu)} m^\tau_{\mu j}, \qquad \hat{m}^\tau_{\mu j} = J_\mu \prod_{i \in C_\sigma(\mu)} m_{\mu i} \prod_{l \in C_\tau(\mu)\setminus j} m^\tau_{\mu l}, \qquad (55)$$

$$m_{\mu i} = \tanh\Big(F_{\sigma i} + \sum_{\nu \in M_\sigma(i)\setminus \mu} \mathrm{ath}(\hat{m}_{\nu i})\Big), \qquad m^\tau_{\mu j} = \tanh\Big(F_{\tau j} + \sum_{\nu \in M_\tau(j)\setminus \mu} \mathrm{ath}(\hat{m}^\tau_{\nu j})\Big), \qquad (56)$$

where $J_\mu = \prod_{i \in C_\sigma(\mu)}\xi_i \prod_{j \in C_\tau(\mu)}\zeta_j$, $C_\sigma(\mu)$ and $C_\tau(\mu)$ are the sets of indices of non-zero elements in the $\mu$th row of $A$ and $B$, respectively, and $M_\sigma(i)$ and $M_\tau(j)$ are similarly defined for the columns of $A$ and $B$, respectively. $C_\sigma(\mu)\setminus i$ denotes the set of indices in $C_\sigma(\mu)$ other than $i$, and similarly for the other symbols. The variables $m_{\mu i}$ and $\hat{m}_{\mu i}$ (and their $\tau$ counterparts) represent the pseudo-posterior average of $\sigma_i$ (or $\tau_j$) when the $\mu$th check $J_\mu$ is left out, and the influence of a newly added $J_\mu$ on $\sigma_i$ (or $\tau_j$), respectively (see [8, 9, 10] for details). Using $\hat{m}_{\mu i}$, the posterior average $m_i^\sigma$ is obtained as

$$m_i^\sigma = \tanh\Big(F_{\sigma i} + \sum_{\mu \in M_\sigma(i)} \mathrm{ath}(\hat{m}_{\mu i})\Big). \qquad (57)$$

Let us investigate the condition necessary for finding the correct solution by iterating Eqs. (55) and (56) in the limit $K, C \to \infty$. For this purpose, we first employ the gauge transformation $\xi_i m_{\mu i} \to m_{\mu i}$, $\xi_i \hat{m}_{\mu i} \to \hat{m}_{\mu i}$, $\zeta_j m^\tau_{\mu j} \to m^\tau_{\mu j}$, $\zeta_j \hat{m}^\tau_{\mu j} \to \hat{m}^\tau_{\mu j}$ and $J_\mu \prod_{i \in C_\sigma(\mu)}\xi_i \prod_{j \in C_\tau(\mu)}\zeta_j \to 1$. This decouples the quenched random variables $\xi_i$ and $\zeta_j$ from Eq. (55), as $J_\mu$ becomes independent of the quenched variables, and the BP equations can be expressed as

$$\hat{m}_{\mu i} = \prod_{l \in C_\sigma(\mu)\setminus i} m_{\mu l} \prod_{j \in C_\tau(\mu)} m^\tau_{\mu j}, \qquad \hat{m}^\tau_{\mu j} = \prod_{i \in C_\sigma(\mu)} m_{\mu i} \prod_{l \in C_\tau(\mu)\setminus j} m^\tau_{\mu l}, \qquad (58)$$

$$m_{\mu i} = \tanh\Big(\xi_i F_{\sigma i} + \sum_{\nu \in M_\sigma(i)\setminus \mu} \mathrm{ath}(\hat{m}_{\nu i})\Big), \qquad m^\tau_{\mu j} = \tanh\Big(\zeta_j F_{\tau j} + \sum_{\nu \in M_\tau(j)\setminus \mu} \mathrm{ath}(\hat{m}^\tau_{\nu j})\Big). \qquad (59)$$

The expression of the correct solution is also converted to $m_{\mu i} = 1$ and $m^\tau_{\mu j} = 1$. Notice that any state which is characterized by decreased absolute values $|m_{\mu i}| < 1 - \epsilon$ and $|m^\tau_{\mu j}| < 1 - \epsilon$ for an arbitrary fixed positive number $\epsilon > 0$ is attracted to a locally stable solution $\hat{m}_{\mu i} \simeq 0$, $\hat{m}^\tau_{\mu j} \simeq 0$, $m_{\mu i} = \tanh(\xi_i F_{\sigma i})$ and $m^\tau_{\mu j} = \tanh(\zeta_j F_{\tau j})$ for $K \to \infty$ in a single update, since the products on the right hand sides of Eq. (58) vanish. To provide a rough evaluation of the BOA for the correct (ferromagnetic) solution $m_{\mu i} = 1$ and $m^\tau_{\mu j} = 1$, let us assume that $m_{\mu i}$ and $m^\tau_{\mu j}$ are randomly distributed at $1 - \epsilon(K)$ and $-(1 - \epsilon(K))$ with probabilities $1 - p(K)$ and $p(K)$, respectively, where $\epsilon(K)$ and $p(K)$ are small parameters that characterize the BOA for large $K$. Under this assumption, $\hat{m}_{\mu i}$ and $\hat{m}^\tau_{\mu j}$ are distributed at $\pm(1 - \epsilon(K))^{K+L-1} \simeq \pm(1 - \epsilon(K))^{K}$ with probability $\big(1 \pm (1 - 2p(K))^{K+L-1}\big)/2 \simeq \big(1 \pm (1 - 2p(K))^{K}\big)/2$, respectively. If either $(1 - \epsilon(K))^K$ or $(1 - 2p(K))^K$ is negligible, the absolute values of $m_{\mu i}$ and $m^\tau_{\mu j}$ become sufficiently smaller than 1, and therefore the state is trapped in a locally stable solution in the second iteration [19]. This implies that the critical condition is given by $\epsilon(K) \sim O(1/K)$ and $p(K) \sim O(1/K)$ for large $K$. In terms of the macroscopic overlap, this means $m_{cr} \simeq 1 - O(1/K)$.
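The scaling argument above can be checked numerically. The following is an added example (not code from the paper) that applies one round of the gauge-transformed update, Eqs. (58) and (59), to a perturbed ferromagnetic state; it assumes a regular structure with K plaintext and L noise messages per check, C checks per plaintext variable, and an unbiased plaintext prior $F_{\sigma i} = 0$, so that a vanishing check message pulls the variable message towards $\tanh(0) = 0$.

```python
"""Rough basin-of-attraction (BOA) check for the gauge-transformed BP update.

Constructed example: every check touches K plaintext and L noise messages,
every plaintext variable receives C check messages, and F_sigma = 0 (an
assumption; the paper allows per-variable priors). In the gauge of Eqs. (58)
and (59) the correct fixed point is all messages equal to +1.
"""
import numpy as np


def one_step_stats(K, L, eps, p):
    """Closed-form prediction used in the text: after one application of
    Eq. (58) every |m_hat| equals (1-eps)^(K+L-1), and its sign is wrong
    with probability (1 - (1-2p)^(K+L-1)) / 2."""
    n = K + L - 1
    return (1 - eps) ** n, (1 - (1 - 2 * p) ** n) / 2


def check_update(K, L, eps, p, checks, rng):
    """Monte Carlo version of Eq. (58) with J_mu = 1: each m_hat is the
    product of the other K-1 plaintext messages and the L noise messages
    of its check, every message drawn at +(1-eps) w.p. 1-p, -(1-eps) w.p. p."""
    signs = rng.choice([1.0, -1.0], size=(checks, K + L - 1), p=[1 - p, p])
    return np.prod(signs * (1 - eps), axis=1)


def second_iterate(K, C, L, eps, p, checks=20000, seed=0):
    """Feed C-1 check messages from check_update() into Eq. (59) with
    F_sigma = 0 and return the mean plaintext message after this second
    iteration. Close to 1: the perturbed state is still inside the BOA of
    the ferromagnetic solution. Close to 0: trapped by the trivial solution."""
    rng = np.random.default_rng(seed)
    m_hat = check_update(K, L, eps, p, checks * (C - 1), rng)
    m_hat = m_hat.reshape(checks, C - 1)
    m = np.tanh(np.sum(np.arctanh(m_hat), axis=1))
    return float(np.mean(m))


if __name__ == "__main__":
    # A perturbation of size O(1/K) survives the second iteration ...
    print(second_iterate(50, 4, 2, eps=0.5 / 50, p=0.1 / 50))
    # ... while an O(1) perturbation collapses onto the trivial solution.
    print(second_iterate(50, 4, 2, eps=0.3, p=0.0))
```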



VII. RELIABILITY 



Unlike most commonly used cryptosystems, which are based on a deterministic decryption procedure, the current cryptosystem relies on a probabilistic decryption process. Evaluating the decryption success of an authorized user is therefore as important as assessing the level of robustness against attacks.

In practical scenarios, decryption success generally depends on the plaintext size. Analysis of finite size effects in the belief propagation based decryption procedure is difficult. A principled alternative that we pursue here is based on evaluating the average error exponent of the current cryptosystem; this provides the expected error level at any given corruption level when maximum likelihood decoding is employed, and therefore represents a lower bound to the expected error rate. Moreover, since the corruption levels employed are far below the critical (thermodynamic) transition point, we assume that belief propagation decryption will provide similar performance to maximum likelihood decoding; clearly, the lower bound becomes looser as we approach the dynamical transition point.

The average block error rate $P_B(p)$ (i.e., the probability of an erroneously decrypted plaintext) takes the form

$$P_B(p) = e^{-M E(p)}, \qquad (60)$$

where $E(p)$ is the average error exponent at noise level $p$ and $M$ the length of the ciphertext (in the particular case of LDPC codes we assume that short loops, which contribute polynomially to the block error probability [13], have been removed). The quantity $P_B(p)$ represents the probability that candidate solutions $\{\sigma,\tau\}$ are drawn from the set of those satisfying the parity check equation (with $\gamma = 1$; authorized decryption) other than the ones corresponding to the true plaintext and corrupting vector, $\sigma = \xi$ and $\tau = \zeta$, respectively. To evaluate this probability we introduce the indicator function

$$\Psi(\Gamma) = \lim_{\beta \to \infty}\ \lim_{\lambda_{1,2} \to \pm\lambda}\left[Z_1^{\lambda_1}(\Gamma;\beta_1)\,Z_2^{\lambda_2}(\Gamma;\beta_2)\right], \qquad (61)$$

where $\Gamma = \{\xi, \zeta, A\}$ collectively denotes the set of quenched variables. The power $\lambda \in [0,1]$ is used in conjunction with the partition functions

$$Z_1(\Gamma;\beta) = \sum_{\sigma \neq \xi}\sum_{\tau \neq \zeta} e^{-\beta H(\sigma,\tau)}, \qquad Z_2(\Gamma;\beta) = \sum_{\sigma}\sum_{\tau} e^{-\beta H(\sigma,\tau)} \qquad (62)$$

to provide an indicator function as explained below. The Hamiltonian $H(\sigma,\tau)$ is given by (13) and the trace over spin variables is restricted to those configurations satisfying equation (10). The above partition functions $Z_1$ and $Z_2$ differ only in the exclusion of the true plaintext and corrupting vector from the trace over variables; this enables us to identify instances where the maximum likelihood decoder chooses solutions that do not match the true (quenched variable) vectors. The Hamiltonian (13) is proportional to the magnetizations $m_\sigma(\sigma) = \frac{1}{N}\sum_i \sigma_i$ and $m_\tau(\tau) = \frac{1}{M}\sum_j \tau_j$. Therefore, if the true plaintext and corrupting vectors have the highest magnetizations (decryption success), their Boltzmann factor $\exp[-\beta H(\sigma,\tau)]$ will dominate the sum over states in $Z_2$ in the limit $\beta \to \infty$ and $\Psi(\Gamma) = 0$. Alternatively, if some other vectors $\sigma \neq \xi$ and $\tau \neq \zeta$ have the highest magnetizations of all candidates (decoding failure), their Boltzmann factor will dominate both $Z_1$ and $Z_2$ so that $\Psi(\Gamma) = 1$. Separate temperatures $\beta_{1,2}$ and powers $\lambda_{1,2}$ have been introduced to determine whether the obtained solutions are physical or not (the values of these parameters will be obtained via the zero-entropy condition).
FIG. 5: Reliability exponent (63) as a function of the corruption level $p$ for the case $K = L = 2$ and rates $R = 1/2$ (dashed line) and $R = 1/4$ (solid line).

To derive the average error exponent $E(p)$ we take the logarithm of the above indicator function averaged with respect to the disorder variables $\Gamma = \{\xi, \zeta, A\}$,

$$E(p) = \lim_{M \to \infty} -\frac{1}{M}\log\left\langle \Psi(\Gamma) \right\rangle_\Gamma. \qquad (63)$$

The evaluation of (63) is similar in spirit to the analysis of section IV. For details of this calculation we refer the reader to [15], where we also study and compare the reliability and average error exponents of various low-density parity-check codes.

Results describing $E(p)$ for authorized decryption of the cryptosystem [4] are presented in figure 5, where we plot $E(p)$ as a function of the corruption level $p$ for $(K, C, L) = (2, 8, 2)$ (code rate 1/4) and $(K, C, L) = (2, 4, 2)$ (code rate 1/2) cryptosystems. It is clear that decryption errors decay very fast with the system size as we move away from the critical corruption level. For instance, in the case of $R = 1/4$, using a corruption level of $p = 0.13$ (Shannon's limit is at $p = 0.20$) and a modest ciphertext size of $M = 1000$ will result in a negligible block error probability $P_B = 10^{-11}$.



VIII. DISCUSSION



In this paper we have analyzed several security issues related to the recently suggested public-key cryptosystem of [4].
The suggested cryptosystem is based on the computational difficulty of decomposing a dense matrix into a combination 
of dense and sparse matrices (obeying certain statistics) which is a known hard computational problem. We have 
considered several attack scenarios in which unauthorized parties have acquired partial knowledge of one or more of 
the private keys and/or microscopic knowledge of the plaintext and/or the 'corrupting vector'. The analysis follows 
standard statistical mechanical methods of dealing with diluted spin systems within replica symmetric considerations. 
Of central importance to unauthorized decryption is the dynamical transition, which defines decryption success in practical situations. Our phase diagrams show the dynamical threshold as a function of the partially acquired knowledge of the private key; they describe regions with perfect ($m = 1$) or partial/null ($|m| < 1$) decryption success.

Public-key cryptosystems play an important role in modern communications. The increasing demand for secure transmission of information has led to the invention of novel cryptosystems in recent years. To this extent, and based on the insight gained by statistical physics analyses of error-correcting codes, a new family of cryptosystems was suggested in [4]. This paper constitutes a first step in studying this class of cryptosystems by considering the potential success of possible attacks.

Several future research directions aimed at improving the security and reliability of this cryptosystem may include studying the efficacy of irregular code constructions and the use of novel decryption methods such as survey propagation [9] for pushing the dynamical transition point closer to the information theoretic limits.


